topic Re: need prisma RQL query to fetch account name where "xxx" cloudtrail account is not present in Prisma Cloud Discussions

need prisma RQL query to fetch account name where "xxx" cloudtrail account is not present

mahendars — Tue, 05 Dec 2023 19:10:02 GMT

need prisma RQL query to fetch account name where "xxx" aws cloudtrail account is not present, whichever account is not present, I should list that account as Non-compliant, and if "xxx" present and is not matching specific configuration also list out as non-compliant, is this possible????

I have split queries, how would merge this queries and show all required results.
config from cloud.resource where api.name ='aws-cloudtrail-describe-trails' AND json.rule = name equal "xxx" as X; count(X) less than 1
#this above one would list down all the accounts where "xxx" cloud trail is not present

config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-cloudtrail-describe-trails' and json.rule = name equals "xxx" and trailARN contains ":us-east-1"

Re: need prisma RQL query to fetch account name where "xxx" cloudtrail account is not present

MDavis29 — Mon, 29 Jan 2024 21:36:54 GMT

At this time we do not have an API that we ingest that shows the AWS account information and if cloud trail is enabled on the account. I checked the json on the two API’s that would fall under your request and nothing related to cloud trail is displayed. Let me check with the team if we have another workaround, but use the below query below to get more details on the cloudtrail status.

config from cloud.resource where api.name= 'aws-cloudtrail-describe-trails' as X; config from cloud.resource where api.name= 'aws-cloudtrail-get-trail-status' AND json.rule = 'status.isLogging equals true' as Y; filter'($.X.name equals $.Y.trail)'; show Y; count(Y) less than 1